
Pwnie Express Rides Again at RSA 2014 (Video) 12

Posted by Roblimo
from the a-cute-name-plus-open-source-pen-testing-tickles-our-keys dept.
The intro to our first video interview with Pwnie Express 'Founder and CEO and everything else' Dave Porcello back in 2012 started with this sentence: 'Pwnie Express is a cute name for this tiny (and easily hidden) group of Pen Test devices.' They have more tools now, including some they've released since we mentioned them and their (then) new Pwn Pad back in March 2013. Their devices are now based on Kali Linux, a distro built specifically for penetration testing (formerly known as BackTrack). In this video, Tim Lord chats with Dave Porcello about recent Pwnie Express happenings at RSA 2014. (If you don't see the video below, please use this link.)

Timothy Lord: So David, this is your third time at RSA, is that right?

David: Yes, third year.

Tim: Alright. And you are one of the few companies here that is actually explicitly doing open source, which is one reason we've visited with you in the past. What is going on right now with the Pwnie products?

David: So with the products right now, we keep expanding on what we've been doing. We came out with the Pwn Plug R2, which is the natural successor to the original Pwn Plug. We basically just listened to our customers over the years and integrated all the things that everybody was asking for. So it has more storage space, it is faster, it has more memory. It has more tools on it. It is now based on Kali Linux, which is an open source project that used to be called BackTrack. So we can leverage that whole project and that whole community as well.

Tim: Do people catch on that there is such a product in the world? Do you find that there's widespread knowledge that not every power plug is as innocent as it looks, that people somehow spot your products?

David: I think in some cases it is starting to catch on, but I am still pretty amazed at how little. For example, with the Power Pwn product, somebody came to our booth and was cursing us because his upper management made him go through their entire enterprise facility disassembling every power strip in the building to look for hidden computers. Which to me was kind of silly, because all of a sudden, yes, you can hide a computer inside of anything; that shouldn't have been such an eye-opener from my point of view. And it is not just power strips you should be checking if you are really concerned about it; a computer could be hidden inside of absolutely anything.

Tim: That certainly works in your favor in the long term, as people only look at power strips.

David: Yeah, yeah.

Tim: Now your company, and again it is interesting that you go from free software powering all the hardware and have used that to grow, what is your company's growth rate right now? What is your trajectory, I should say?

David: Well, it has been crazy. A year ago, when I last talked to you, we had about 5 employees; now we have 15 full-time employees. We raised a round of venture capital funding in June of last year. Our revenue has doubled since then. So we keep going on the same track that we were on. But believe it or not, we actually decided to reduce and simplify our product line. So we are going to have two main product lines. Now that we are starting to collect information about what people are actually doing with our products, we can make better decisions about what the most important products and features are. So we can scale it down and still keep 90 percent of our customer base happy with the two product lines that we decided on. There will be a mobile line, that is the Pwn Pad, and there is going to be a Pwn Phone version coming out that everybody's been asking about. And there will be a fixed sensor line, and that's the Pwn Plug and the Pwn appliance. We are probably going to keep just two or three products per product line going forward.

Tim: Have you noticed anybody else following the same business model that you are, or taking hardware and integrating it this way?

David: Yeah, there are a few. Like you said earlier, I think most of these vendors are using open source software, even if it is just a Linux-based OS, in most of their products. None of them talk about it. But there are a few that do openly talk about it. I think it is a very successful business model that makes a lot of sense and also supports the core community that is making all this stuff. So it is definitely a proven thing. AlienVault is one example; they have proven that out, they've done that. It is an open source SIEM and they released a community edition, and it is just a stack of open source tools for doing security monitoring. And then they have an enterprise offering on top of that, basically the Web UI that makes all these tools easy to use. These tools are really powerful; the problem is most of them are command line only, and they are tough to configure if you are not really up on that stuff. So AlienVault Nexus started off as an open source project but then they closed the source. And Rapid7, they started off with Metasploit, they basically purchased an open source project, but they still kept the Metasploit framework open source and they have a community edition and all that stuff too. We come at it from the view that we actually like the community, and we are part of the core information security community. So we just want to support that community. But as it turns out, it is actually a business model that can work too; it is a bonus.

Tim: Now that you have had the chance to get some open source product earning venture capital for yourself too, what does that let you do? How does that change how your business works?

David: So it is basically a scaling thing. What we are seeing is, we have thousands of customers right now, there are thousands of Pwn devices out there, but folks are mostly using them to assess remote locations, remote sites, hard-to-reach infrastructure. So we are talking about branch offices, retail stores, ____ [5:52] environments, industrial control environments, anything from remote little utility power stations, or ISP colo shacks in the middle of nowhere, to gas stations, to hotels, to international branch offices. How do you do your security assessments across that? Headquarters are fairly well covered at this point; at most headquarters locations they have their big iron solutions in place, but branch offices have been largely overlooked. And we all see the result of that, these breaches, Target and all the stuff that's happening. So we realized that we are actually the perfect solution for that, because you can't deploy these expensive big iron solutions at scale; a lot of these security appliances cost anywhere from $30,000 to $100,000 apiece. If you have 3000 retail stores, you can't buy 3000 of those.

Tim: It is good to be a big fish in the low end.

David: Yeah. So in order to scale, the solution per location has to be really cheap. And we are already there. So all we have to do, and what we've already done, is actually build a central management console for all of these things. And now we're upgrading that into something that's a lot more robust, and the first space that we are focusing on is just basic visibility, because when we talk to a lot of these large distributed enterprises, we've basically boiled it down to one question. When we go in to talk to these folks, we say: Can you give us a list of all the devices that are plugged into all of your branch offices, both wired and wireless devices? And the answer is always no. So we took a step back and said, "Okay, let's just focus on solving that problem first. Let's just get that basic visibility." Like, show me all the stuff that's hooked up to my enterprise. That question still hasn't been answered today.

Tim: One more question. The influx of capital, and having a few more people around, has it changed your role in the company?

David: Yeah, in a good way. Yeah. This is part of my whole plan; I built for it. I think it made more sense for the company and it made the most sense for me personally. Because I don't have an MBA, and I am not a traditional businessperson; I am just a geek that happened to create a product that turned into a company. So I am handing over the executive and administrative, and sales and marketing pieces to other people that are more qualified to do that, so that I get back to the fun stuff, the R&D and the engineering parts.

Tim: And what should we know, coming out of that, to expect in the near future?

David: Yeah, there is a lot of stuff that's coming out. I can't talk about all of it. But you are going to see, before Black Hat, I can say we'll see a new Pwn Phone, which is going to be similar to the Pwn Pad but with much newer hardware, you know, much faster than the old Pwn Phone, much more feature-rich. And then I am working on expanding, in a big way, our coverage of the wireless spectrum into many other areas of the wireless spectrum. So instead of just Wi-Fi, and we have Bluetooth support as well, like long-range Bluetooth, we are starting to expand to do discovery and assessment of other wireless frequencies that are actually really vulnerable and that are part of our critical infrastructure as a country right now. So I'm talking about industrial wireless like ZigBee and Z-Wave, stuff that is used for industrial automation systems, and it is used in power plants, it is used in the smart grid, the power grid technologies, water control systems, home physical security systems, and the security of it is just terrible. So that is part of what we as a company are doing: at the same time that we are building these products, we will assess these things, and we are also helping to expose these problems to the general public and hopefully get some press out of it so that we can actually change how these things get rolled out. Maybe you should have the default password changed on a nuclear control system before you deploy it into production.

Tim: That sounds like a good fear to actually play on.

David: Yeah. And air traffic control communications are still unencrypted and unauthenticated; problems like that we are hoping to bring to the forefront. We are planning on having some events and workshops to actually help solve some of these problems.

Tim: Pretty ambitious problems here.

David: You know, I am all about picking one problem and solving it as a proof of concept. Instead of trying to solve many problems and change the way the world works, how the government works, I feel like if you could just take one small problem and prove that it actually can be solved, then you create a formula that can be reproduced. And it is just many little problems instead of one giant problem, because we all see that trying to solve one giant problem doesn't seem to be working for the governments of the world or most enterprises.

Tim: Sounds like good advice for businesses and governments.

David: Yeah. Start small.
